[syslog-ng] Syslog-ng SRC IP filter doesn't appear to work
Matty
matty91 at gmail.com
Mon Oct 19 21:43:21 CEST 2009
Howdy,
I am using syslog-ng 3.0.4, and am encountering a bizarre issue where
a small percentage of messages don't match the following filter:

filter f_hosts {
    (host("192.168.1.2") or
     host("192.168.1.3") or
     host("192.168.1.4"));
};

log {
    source(network);
    filter(f_hosts);
    destination(d_messages);
    flags(final);
};

log {
    source(network);
    destination(d_catchall);
};

When the hosts 192.168.1.[2-4] send messages to our syslog-ng server,
99% of the time they are routed to the d_messages destination. But in
a few rare cases, messages similar to the following don't match and
are sent to the d_catchall destination:

Text data:
    Syslog message: KERN.INFO: Oct 19 14:54:55 \t<STK T10000B >
Raw data:
    <6>Oct 19 14:54:55 <STK T10000B >

I verified the SRC IP address for the message in question is correct,
and I also ran syslog-ng with the -d -e and -F options to watch
message processing. For some reason syslog-ng doesn't match against
the filter listed above, which is quite bizarre. I also tried enabling
the 'no-parse' flag, but that doesn't appear to help either. Has
anyone experienced this issue? Any thoughts on how to debug this issue
further?
Thanks,
- Ryan